So… Your Passwords Got Hacked. Now What?

You’ve painstakingly changed every password you have in existence, thrown the hackers out of your accounts, and now you are dreading repeating this whole experience. The key to avoiding this is understanding the main risks the authentication processes may face and how to secure them. Our teacher, Jose Carniero, will be your right hand man in making sure this doesn’t happen again.

This explanation is beginner friendly, but feel free to access all the coding used for this article by visiting Jose’s github. There are a few assumptions that should be made when creating or working with an application to make sure that minimum potential security issues are covered:

• Traffic is encrypted (HTTPS) 
• Users are not having passwords lying around
• Databases are secured
• Passwords are being hashed

What does it mean to hash a password?

Before starting with the different scenarios and vulnerabilities we are going to explain and solve, let’s clarify what it means to hash a password. Hashing passwords is the basic step to protect authentication from a developer’s point of view. Imagine that you are logging in into your Google account: Google won’t save, as we may think, the password as plain text since this would be very risky (whoever has access to the database, will get the password). Instead, Google will save a transformation of the password, from the original text to gibberish. This process is what we call hashing and it’s crucial to make things a bit more complicated for hackers.

For example: if your password is 4623 and we apply a hashing process that transforms the password into 4+6+2+3=15, the hashed password will be 15. Therefore, if there is an attack the hackers will get the number 15 as a password but they won’t know the hashing process and the original password won’t be easily guessed. So… let’s start with the different vulnerabilities and scenarios we may encounter.

Weak password

How can we make our password stronger? What are the main characteristics of a weak password? Well, there are three aspects to keep in mind when creating a password:

• Is it commonly used? We need to make sure that this is not a typical password. For example, we can easily download the list of the most commonly used passwords - these words and codes make it easier for hackers to access our log in.
• Is it short? This criteria is based on statistics. If our password only had 1 character, there would be 68 chances for it to be guessed. If it had 2 characters, the chances would multiply by 68.
• Does it have a limited character set? If the password only has alphanumeric characters, it will be weaker than if it includes special characters.

For example, if an application allows users to authenticate using weak passwords and has a poor hashing process, it can be easily stolen with a bruteforce attack.

What is a Bruteforce Attack?

With the function [bruteforceAuthentication] given a certain email will make a request to the application. The objective is to sign in with that email and one of the passwords included in the most commonly used password list. The function will try every single password until it finds the right one.

The list starts running and it can take this function as little as 1455 attempts and only 31 seconds to find the password. Of course, this is the worst scenario and that’s why more layers of security are important. This is the reason why in every application, developers need to make the user come up with a password that is not in the list. However, the hacker can also try every possibility. So… what other vulnerabilities and solutions can we face?

Poor or no hashing

Let’s imagine we are working with a simple platform that asks for sensitive information such as the email address, password, social security number and credit card number. The password isn’t required to be strong and the algorithm is MD5 (which is a fast hashing algorithm). 

What is the importance of slow versus fast hashing algorithms? Easy! If the algorithm is fast, it will take little time to check all the passwords, whereas if the algorithm is slow it will take longer to get it - and the user experience will be the same. Using the MD5 algorithm is almost like no hashing at all.

The algorithm HashBcrypt is slower and makes the authentication process more secure. Any developer can do it and the user won’t notice the difference. The database analysis is slower, which means that the algorithm we choose can make a big difference: instead of being broken in a few seconds it will be broken in years.

Unlimited Attempts

One way to protect the user passwords is to limit the number of attempts someone can make to access an application. Stopping the authentication process means that the attacker won’t be able to do request after request after request… so the bruteforce attack will be prevented. For example, we could create a function like this: if you make more than 50 requests in 1 hour, your account will be blocked.

Another option is to use the attempt cap solution. In this case, the function will be: if the user tries to authenticate more than 5 times, the account will be blocked.

Single point-of-failure

When the password is the only authentication system to access an application, we say there is a single point of failure. If the attacker gets the passwords, the door is open to all the information. That’s why adding additional authentication factors increases the difficulty for hackers. Some solutions for multi-factor authentication are:

• HOTP: Hmac-based One-Time password algorithm. This is an algorithm that generates a new single used password every X number of tries. For example, Google Authenticator is an app that creates a coder for the user that changes every 50 seconds. This solution is easy to implement, user friendly and increases security significantly.
• SMS or call for verification code. This option is not as good as HOTP because you rely on your SIM card or your phone and someone can impersonate you, but it’s another factor that can increase security.
• Key: having a key connected to the computer is the most secure option, it is an external key that can be on a USB, your phone or any other device.

There you have it, the most common mistakes and vulnerabilities in an authentication process. Hopefully, you’ve saved yourself another password disaster scenario! If you want to take a look at the code itself, check Jose’s github and visit other sites such as Computerphile Youtube channel. If you are willing to learn more about this field, check out our Cybersecurity bootcamp!